
Apr 30, 2026 · 6 min read

North Korean Hackers Spent Months Building Their Fake Zoom Trap—Five Minutes Was All They Needed Once You Clicked

BlueNoroff sends Calendly invites months in advance. By the time you click, the other faces in the meeting are AI deepfakes, the Zoom URL is typosquatted, and a clipboard injection is already running. Arctic Wolf documented 100 targets across 20 countries—80% in crypto, 45% CEOs or founders.


The Calendar Is the Weapon

The setup looks innocuous. A LinkedIn message arrives from someone who knows your space. They suggest a "catch up" call. You accept the Calendly link, pick a slot two months out, and forget about it.

Two months later, the calendar invite reminds you of the meeting. The Google Meet link in the body has been quietly replaced. The new URL looks like Zoom or Microsoft Teams, with familiar parameters and what appears to be your own organization's domain hidden in a subdomain. You click. You join. The meeting room loads.

According to Arctic Wolf Labs research, what happens next takes less than five minutes. The fake meeting room shows other participants. Their video tiles cycle an "active speaker" indicator every three to five seconds. They appear to nod, gesture, and breathe. Some are AI deepfakes. Some are stolen footage of real executives. None of them are in the meeting with you.

Click to Compromise in 5 Minutes

The fake interface launches a chain that researchers have now mapped end to end:

  1. Webcam exfiltration. Your camera turns on. The feed is captured and shipped to attacker infrastructure. That footage becomes raw material for the next victim's "fake meeting" tile.
  2. ClickFix clipboard injection. The page asks you to paste a "diagnostic" command to fix audio. The command runs PowerShell.
  3. PowerShell C2. A command and control implant deploys. It opens a persistent channel to the attackers.
  4. Browser injection. An AES encrypted payload hooks into Chrome and Edge processes, targeting MetaMask, Phantom, Coinbase Wallet, and other extensions.
  5. Telegram screenshot exfiltration. Periodic screenshots of the desktop ship out through the Telegram Bot API, which most enterprise firewalls treat as benign.

By the time the "host" apologizes for technical issues and asks to reschedule, your machine is owned. Arctic Wolf observed an average of 66 days of attacker persistence after the initial click.

The Self Reinforcing Engine

The most disturbing part is what makes the campaign scale. Each compromised victim's webcam footage is recycled. Their face shows up as a "participant" in the next target's fake Zoom call. As Arctic Wolf put it, this is "the self reinforcing engine powering the whole campaign: each new victim generates the raw material needed to make the next attack more convincing."

If you are a CEO at a crypto company and you join a fake meeting where another CEO you recognize is on the call, the trust signal is overwhelming. That recognition is exactly what BlueNoroff has been harvesting from prior victims.

Who They Are Targeting

Arctic Wolf identified 100 additional targets through infrastructure analysis. The breakdown:

  • 41 in the United States
  • 11 in Singapore
  • 7 in the United Kingdom
  • 80% in cryptocurrency or blockchain finance
  • 45% are CEOs or founders

More than 80 typosquatted domains were registered between late 2025 and April 2026 to support the operation. The first BlueNoroff intrusion researchers tied to this campaign was detected on January 23, 2026. The infrastructure has been live for over 95 days.

The April Pattern

North Korean operations stole more in two April incidents than the rest of the world's crypto thieves combined. Kelp DAO lost $290 million the weekend before April 20 after attackers exploited its LayerZero bridge configuration. Drift Protocol was hit for $285 million in the same window. LayerZero attributed the Kelp DAO theft to TraderTraitor, another DPRK group.

TRM Labs reported that North Korea now accounts for 76% of 2026 crypto hack losses, with cumulative theft since 2017 topping $6 billion. The pattern that links those numbers to BlueNoroff is the social engineering layer: months of low pressure relationship building before any payload runs.

BlueNoroff in the Lazarus Family

BlueNoroff is also tracked as APT38, Stardust Chollima, and Nickel Gladstone. It is the financially motivated subset of North Korea's Lazarus apparatus. While the broader Lazarus group conducts espionage and destructive operations, BlueNoroff exists to fund the regime through theft.

The group's evolution over the last 18 months has been a steady move from email phishing toward conferencing platforms. The reason is straightforward: enterprise email defenses have improved. Calendar and meeting platforms have not. Gmail and Outlook will sandbox attachments and rewrite URLs. Calendly invites get through. Zoom links resolve at click time. The attack surface migrated to where the controls were thinnest.

What Crypto Teams Should Do Right Now

The defenses are unglamorous but specific:

  • Audit your Calendly and other scheduling tool history. Review meetings booked more than 30 days in advance with first time external contacts. Cancel and reschedule with a fresh link if anything looks off.
  • Verify Zoom and Teams URLs by domain. Real Zoom is zoom.us. Real Teams is teams.microsoft.com or teams.live.com. Anything else, including subdomains pretending to be your own company, is a red flag.
  • Never paste a command from a meeting page. ClickFix attacks rely on convincing the victim that a "fix" requires running something in PowerShell or Terminal. Legitimate video conferencing never asks for that.
  • Treat every cold introduction with months of buildup as a candidate threat. The slow approach is the BlueNoroff signature. Real recruiters and investors do not need three months of LinkedIn warmup before a 30 minute call.
  • Use a hardware wallet for everything material. Browser wallet extensions are the explicit target of the BlueNoroff browser injection module.
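One way to implement the domain check from the second bullet, as an added example that is not code from the article or from Arctic Wolf: a Python classifier that accepts only zoom.us, teams.microsoft.com and teams.live.com (and their real subdomains) and flags lookalike hosts that embed the recipient's own domain, a brand name, or a userinfo `@` trick. The `org_domain` value and the sample invite links are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Genuine conferencing domains named in the article; subdomains of these are accepted.
LEGIT_MEETING_HOSTS = ("zoom.us", "teams.microsoft.com", "teams.live.com")
BRAND_WORDS = ("zoom", "teams", "microsoft")


def host_matches(host, allowed):
    """True when host is exactly `allowed` or a subdomain of it (label-aware)."""
    return host == allowed or host.endswith("." + allowed)


def classify_meeting_url(url, org_domain):
    """Return (verdict, reason) for a meeting link taken from a calendar invite.

    org_domain is the recipient's own domain (assumed, e.g. "example.com") so that
    lookalikes such as example.com.zoom-meeting.net can be recognised.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "suspicious", f"non-https scheme {parts.scheme!r}"
    if parts.username is not None:
        # https://zoom.us@evil.example/ puts the real host after the '@'
        return "suspicious", f"userinfo hides real host {parts.hostname!r}"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "suspicious", "no host in URL"
    if any(host_matches(host, h) for h in LEGIT_MEETING_HOSTS):
        return "ok", f"{host} is a genuine conferencing domain"
    org = org_domain.lower()
    if org in host and not host_matches(host, org):
        return "suspicious", f"own domain {org!r} embedded in lookalike {host}"
    if any(brand in host for brand in BRAND_WORDS):
        return "suspicious", f"brand name in unrecognised host {host}"
    return "unknown", f"{host} is not a known conferencing domain"


def triage_invites(urls, org_domain):
    """Classify every link; returns a list of (url, verdict, reason) for review."""
    return [(u, *classify_meeting_url(u, org_domain)) for u in urls]


if __name__ == "__main__":
    # Constructed sample invite links, not indicators from the campaign.
    SAMPLE_LINKS = [
        "https://us02web.zoom.us/j/123456789?pwd=abc",
        "https://example.com.zoom-meeting.net/j/123456789",
        "https://zoom.us@evil.example/j/123456789",
        "https://teams.microsoft.com/l/meetup-join/xyz",
        "https://meet.google.com/abc-defg-hij",
    ]
    for url, verdict, reason in triage_invites(SAMPLE_LINKS, "example.com"):
        print(f"{verdict:10} {url}  ({reason})")
```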

The Larger Trend

BlueNoroff's Calendly campaign sits at the intersection of two trends that are reshaping social engineering. AI generated video has become cheap enough to fake real time conferencing. And state aligned actors have moved from one shot phishing emails to multi month relationship campaigns. The same model is showing up in the ATHR AI vishing platform that hunts Gmail and Microsoft 365 users, in the Venom phishing service that targets executives, and in the EvilTokens device code phishing campaign that bypasses MFA.

The lesson for any executive in the crypto, fintech, or AI space is structural. The next "introduction" you take from a stranger you have never met may have been preparing for you for months. The fake meeting will look real. The faces will look familiar. The five minute window starts the moment you click join.
